2 Replies Latest reply on May 6, 2010 10:05 PM by gaohoward

How to mask clear text password in configuration file?

gaohoward May 6, 2010 1:48 AM

In HornetQ the cluster connection account has its password stored in clear text. But sometimes user doesn't think it very safe.
Clear text password should be masked in some way. Although the cluster connection's password is stored in one place

<cluster-user>HORNETQ.CLUSTER.ADMIN.USER</cluster-user>
<cluster-password>CHANGE ME!!</cluster-password>

This account credential is used in two places. One place is in the Security Manager. It uses the information to authenticate against a connection request. The other place is in making the cluster connection to a HornetQ node.

At security manager side, we can use one-way hash of the password in the configuration file. On receiving a connection request, it simply compares the hash of the password with the hash loaded from configuration.

At client side, we cannot use one-way hash because we need the clear text password to pass to the server to be connected. I'm thinking using a two way (symmetrical) encryption method. But another problem is those encryption itself requires a key or password to do the encryption/decryption, and this key shouldn't be fixed and cannot be clear text either.

This is also the case with JBoss Messaging's Sucker's password. In JBoss AS 5+ it can be configured to inject an external security manager that can handle clear text password issue. However that only solves half of the problem. The client side still need a solution.

Any ideas?

Howard

1. Re: How to mask clear text password in configuration file?

timfox May 6, 2010 4:08 AM (in response to gaohoward)

It doesn't make sense to do this.

If a hacker has access to the server machine then all bets are off anyway.
Actions
2. Re: How to mask clear text password in configuration file?

gaohoward May 6, 2010 10:05 PM (in response to timfox)

It turns out to be not valid. Thanks.
Actions

Go to original post